Security Awareness Blog

[Editor's Note: This blog is from Janet Roberts at Progressive Insurance and is part of a new series where we get insight from other security awareness professionals. Every organization and their security awareness program is different. As such, every organization has a different story to tell and different lessons learned to share. This is one of those stories.]

It's moved from sharing across a backyard fence to the telephone to the Twitter, IM, Facebook and email along the Internet superhighway, but "word of mouth" is still a really powerful tool in creating interest and ultimately buy-in for a project or program.

When I was challenged with building our security awareness program two years ago, I went out and benchmarked with a number of other companies, wrote a white paper complete with information on how much data we needed to protect, how many attempts were made on our system from the outside, and much more. I elevated the report to our CSO and he took it to other execs. I was asking for a budget. I got interest and an OK to move forward, but I needed to show something more to get what I was requesting. So I decided while I was asking the CSO to evangelize from the top, I'd try to create a groundswell of grassroots interest at the bottom.

I created this quirky little program we call PIE — Personal Protection, Identity Theft, Electronic Data. It's a lunch-and-learn, in-person, workshop program and .....yes!....we serve pie. Each employee gets a slice of pie, a folder filled with tip sheets and screenshots on how to reach our Intranet site, and a chance to talk to a security professional.

We felt if we put a face on Security, did something a little quirky they won't expect us to do, and tailored the workshops toward employees personal interest and needs while layering in how it applies at work too, we'd get people talking. It was daunting to figure out how to get three presenters to six large site locations nationwide in a year, educate as many of our 24,000 people as possible, and keep the cost really low. Our physical security site managers became the point people for set up at each location, attendees volunteered to help, and our cafeteria service provided pie (with plates, napkins and utensils).

We are almost done, wrapping up our first year and we have two site locations to go in 4Q. Sometimes the attendance is good, sometimes low, but each time we get scores of "9" or "10" on the evaluations (high scores), lots of compliments and request for more, more, more. Many employees re-teach what they've learned to their co-workers, talk to their managers about PIE, and come back with requests for additional workshops for smaller groups. As we plan PIE — 2013, we find ourselves with the enviable problem of higher demand than we have resources to accommodate. We're adding volunteer presenters and talking about giving away door prizes. And leaders in our company are listening and watching. From PIE, I was given the go ahead to run a companywide survey and I'm looking at getting funding for a small ambassador program. At one PIE workshop, where the evaluation asked if the employee had taken our violence risk awareness training, resulted in permission to engage a vendor to build updated VRA training

Will something like this work for you?

Ask yourself how to create a situation where word of mouth takes the message from employees to managers that they want awareness information and training.

Ask yourself if you can extract research or employees' opinions from the project or situation that will support other projects you want to move forward (like new VRA training for us)?

Ask yourself if you can support online training, tip sheets, and other computer led awareness initiatives with in-person training or town hall meetings or other types of person-to-person efforts?

Share what you've done or are thinking of doing to help others engage the eternal power of "word of mouth" communications.

BIO: Janet Roberts is the security awareness program lead at Progressive Insurance where she's been building the company's first Security Awareness Program since 2010. For four years Prior to taking on the challenge of building the awareness program, she was a senior communications consultant in Progressive's marketing/communications group, supporting a number of corporate groups including Enterprise Security. Today she juggles communications support for all groups under the CFO and running the security awareness program.